Requirement

Description of Risk

Attackers can discover and exploit user accounts still valid in the system but no longer needed for business purposes.

Recommendations

Account monitoring and management controls provide a gatekeeper function to prevent and detect unauthorized activities that may lead to loss of covered data. When implemented correctly, these controls allow resource proprietors and resource custodians to control precisely who has access to covered data and detect inappropriately granted access before data loss events occur. Start with the recommendations below to implement an account monitoring and management process:

Administrative account credentials (passphrases, encryption keys or other authentication devices) are also covered data, and must be protected according to applicable MSSEI requirements. (See the Additional Resources section for more guidance.)

Account Review

Employ a process to review, at least quarterly, the accounts assigned to users and the accounts assigned to applications/services.

The review process validates the continued business need for each active account with the Resource Proprietor and ensures that application/service account credentials are disabled when no longer needed.

The review process should also reconcile existing active accounts with account access requests; any access privileges not approved by the Account Management process should be noted and revoked immediately.

Review account and privilege updates, with special emphasis on administrative privilege updates, for suspicious activity that may signal a compromised account. Examples include unauthorized changes to existing administrative accounts or privileges, and new administrative accounts or groups created without approval or documentation.
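As an added illustration (not part of the MSSEI text), the Python below carries out the two review steps above: it reconciles an exported list of active accounts and their group memberships against the approved access requests, and then scans audit-log entries for administrative privilege changes that lack an approved ticket or that an actor granted to their own account. The account names, group names (domain-admins, db-admins), ticket identifiers, the 90-day idle threshold and the key=value log format are all assumptions constructed for the example.

```python
"""Quarterly account reconciliation and privilege-change review.

Added example for illustration; it is not part of the MSSEI text. The account
names, group names, tickets and audit-log format below are constructed.
"""
from dataclasses import dataclass

ADMIN_GROUPS = frozenset({"domain-admins", "db-admins"})  # assumed admin groups


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset   # groups granting access to covered data
    idle_days: int      # days since the account last authenticated


@dataclass(frozen=True)
class Approval:
    account: str
    group: str
    ticket: str         # access request approved by the Resource Proprietor


@dataclass(frozen=True)
class Finding:
    account: str
    group: str
    severity: str
    reason: str


def reconcile(accounts, approvals, admin_groups=ADMIN_GROUPS, idle_limit=90):
    """Flag privileges with no approved request (revoke), accounts idle longer
    than idle_limit days (confirm need or disable) and approvals that name
    accounts which no longer exist (close the stale request)."""
    approved = {(a.account, a.group) for a in approvals}
    findings = []
    for acct in accounts:
        for group in sorted(acct.groups):
            if (acct.name, group) not in approved:
                sev = "high" if group in admin_groups else "medium"
                findings.append(Finding(acct.name, group, sev, "no approved access request; revoke"))
        if acct.idle_days > idle_limit:
            findings.append(Finding(acct.name, "*", "medium",
                                    f"idle {acct.idle_days} days; confirm need or disable"))
    active = {a.name for a in accounts}
    for appr in approvals:
        if appr.account not in active:
            findings.append(Finding(appr.account, appr.group, "low",
                                    f"{appr.ticket} names a non-existent account; close it"))
    return findings


def parse_event(line):
    """Parse one 'timestamp key=value ...' audit line into a dict."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def review_privilege_changes(log_lines, approvals, admin_groups=ADMIN_GROUPS):
    """Flag administrative privilege updates that lack an approved ticket,
    and any actor granting a privilege to their own account."""
    tickets = {(a.account, a.group): a.ticket for a in approvals}
    findings = []
    for line in log_lines:
        ev = parse_event(line)
        if ev.get("action") not in {"group_add", "account_create"}:
            continue
        target, group = ev["target"], ev["group"]
        if ev.get("actor") == target:
            findings.append(Finding(target, group, "high",
                                    f"{ev['ts']}: self-granted by {target}"))
        elif group in admin_groups and ev.get("ticket") != tickets.get((target, group)):
            findings.append(Finding(target, group, "high",
                                    f"{ev['ts']}: {ev['action']} by {ev['actor']} without approved ticket"))
    return findings


# Constructed sample data.
ACCOUNTS = [
    Account("jdoe", frozenset({"db-admins", "analysts"}), 3),
    Account("svc-backup", frozenset({"db-admins"}), 200),
    Account("asmith", frozenset({"analysts"}), 12),
]
APPROVALS = [
    Approval("jdoe", "db-admins", "ACC-1043"),
    Approval("jdoe", "analysts", "ACC-0981"),
    Approval("asmith", "analysts", "ACC-1101"),
    Approval("bwong", "analysts", "ACC-0750"),  # account already removed
]
AUDIT_LOG = [
    "2024-05-03T10:12:44Z actor=svc-iam action=group_add target=jdoe group=db-admins ticket=ACC-1043",
    "2024-05-03T22:01:09Z actor=asmith action=group_add target=asmith group=domain-admins ticket=-",
    "2024-05-04T03:15:00Z actor=root action=account_create target=backup2 group=domain-admins ticket=-",
]

if __name__ == "__main__":
    for f in reconcile(ACCOUNTS, APPROVALS) + review_privilege_changes(AUDIT_LOG, APPROVALS):
        print(f"[{f.severity}] {f.account}/{f.group}: {f.reason}")
```

On the sample data the reconciliation flags the service account's unapproved db-admins membership and its 200 idle days, plus a stale approval for an account that no longer exists; the log review passes the ticketed change and flags the self-grant and the ticketless administrative account creation. In practice the account export, approval records and audit events would come from the directory, the access-request system and the authentication logs respectively; the comparison logic is the same.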